Reliance Jio & Reliance Mobile Discussion Forums

Leaderboard


Popular Content

Showing most liked content on 08/06/2009 in all areas

  1. 1 point
    Interesting article on MEID on howard forum:

    ESN vs. pESN/MEID Explained (or, Never The Twain Shall Meet in Their Firmware)

    The whole issue of ESN vs. pESN/MEID firmware made me curious, especially with the problems VZW Moto owners have had trying to flash one type of phone with firmware designed and compiled for the other type of phone. The result has been 99+% certain to brick the phone, recovery from which is, at best, very difficult.

    Recommendation: The Firmware Tracker should be revised to positively and very clearly track whether a particular firmware revision is for an ESN or MEID phone! The confusion between the two has (from what I've read on this forum) bricked a good number of phones.

    I read in a (much too) brief summary that MEID came about to solve the problem of running out of unique ESN to assign to new CDMA and TDMA phones. The MEID was supposed to be implemented with CDMA2000, but ESN is being exhausted sooner than anticipated (or sooner than CDMA2000 can completely replace CDMA with EVDO). GSM phones currently use a decimal IMEI number, but GSM came later, realized the ESN problem, and started with a longer number.

    Found more details about ESN and MEID today. That summary is the crux of it. There's more though, and it explains clearly why firmware for ESN phones should never be used on pESN/MEID phones, and vice versa. The firmware for them is not interchangeable!

    The FCC requires that phones have a unique, embedded, permanently hard-wired ID number in each phone. In other words, a number that cannot be changed by reprogramming or flashing. The industry, phone makers and cellular service carriers support this requirement too. This unique number identifies a specific phone globally, independent of carrier or manufacturer (although part of the number can ID who made the phone).

    For AMPS, CDMA and TDMA phones, this globally unique number is its ESN. For pESN/MEID CDMA and TDMA phones, it's the MEID (not the pESN).
    For GSM phones, it's the decimal IMEI.

    An ESN is 8 hexadecimal digits long and dates back to AMPS. The first part of an ESN is a manufacturer identifier. This simplifies global management of ESN by assigning blocks of numbers to phone makers (e.g. Motorola, Samsung), and the manufacturer controls assigning the rest of the number to a phone within their blocks of numbers. Same concept as the globally unique MAC hard-wired and embedded on all network controllers (aka MAC address).

    The problem with the 8-digit (in hexadecimal) ESN came along much sooner than originally anticipated with the explosion of cell phone use globally, and how quickly cell phones are replaced (much to the glee of the companies that make them). Cell phones, especially carriers' cheaper ones, along with most pre-paid, are considered throw-aways.

    Once assigned, an ESN cannot be re-used -- ever -- on any phone made by anyone, anywhere -- even if the ESN is known to have been on a phone that was permanently destroyed. This means (in decimal) that theoretically ~4.295 Billion AMPS/CDMA/TDMA phones could be made with globally unique ESNs. Several blocks have been reserved, and lack of good record keeping early on has prevented using some other blocks. That reduces the number that can actually be used, and they're projected to run out soon. If that happened without a replacement for the ESN, phone manufacturers would not be able to make any new AMPS, CDMA or TDMA phones. Zero, nada, zip, null, none . . . and that would be a cataclysm of epic proportion for the entire cellular industry (at least the AMPS, CDMA and TDMA portion).

    GSM came along after AMPS implemented the ESN, and it already has the longer number capability. This exhaustion of ESN was foreseen some time ago within the TIA which assigns ESN blocks and the GSM ***'n which handles IMEI numbers. The new system will unify ESN with IMEI and allow for "global" phones with both CDMA (or TDMA) and GSM inside them.
    It uses a 14-digit hexadecimal number allocated as follows for CDMA/TDMA and GSM phones:

    - GSM: Decimal numbers that, when translated into their 14-digit hexadecimal equivalent, are 0x98FFFFFFFFFFFF or lower
    - CDMA/TDMA: 14-digit hexadecimal numbers 0xA0000000000000 or higher
    - Global with both CDMA (or TDMA) and GSM: Decimal numbers that, when translated into their 14-digit hexadecimal equivalent, begin with 0x99.

    Should be no surprise that the MEID found in newer VZW phones (instead of an ESN) are 14-digit hex numbers, and they all begin with 0xA0.

    If the new system for CDMA/TDMA phones replaces the ESN with a longer MEID, what's the pESN for? pESN is short for pseudo-ESN. It's an 8-digit hexadecimal number that can be calculated using the MEID. The reason for the pESN is portions of CDMA and TDMA networks, especially VZW, still need a number of ESN length in their "back end" systems that handle things like SMS. Those portions of the network haven't been converted yet. In the interim they must use a pESN instead as they cannot handle the larger MEID.

    There's a looming problem with the pESN though. It's only a stop-gap until everything in VZW's system can handle the longer MEID, and remain compatible with legacy handsets using the shorter ESN. While the manner in which a pESN is calculated was designed to reduce the probability of two different MEID having the same pESN occurring, it doesn't guarantee it won't happen.

    The first two hex digits of a pESN are 0x80, which uniquely identifies it immediately as a pESN, not an ESN. The trailing six hex digits are calculated by performing an SHA-1 hash of the entire MEID (in hexadecimal). The leading 0x80 is appended with the trailing six hex digits of the MEID SHA-1 hash. VZW doesn't need the pESN from a phone, only the MEID, and from that the pESN can be calculated (computers can do it extremely quickly).
    Because multiple different MEID can generate the same pESN, if enough MEID handsets are activated before network use of the pESN is dropped completely, duplicate pESN will start showing up. Duplicate ESN (or pESN) on a network is called an ESN collision. It wreaks huge havoc on how data is routed to that ESN, and with service provision to the devices with the duplicate ESN.

    Currently, the probability is very near zero as there are only a very few MEID phones on VZW, but the probability rises rapidly as more pESN/MEID phones are activated on their network. Some studies have been performed about the risks to predict the threshold at which they become unacceptable, but the study methods are still being debated.

    The threshold number of MEID phones is much lower than most think before the risk of duplicate pESN rises quite dramatically. Pick 23 people at random and there's a 50% (or greater) probability at least two of them have the same birthday. Add another 34 people at random to the initial 23 (total of 57) and the probability of duplicate birthdays rises to over 99%. Statisticians and mathematicians call this the "Birthday Paradox" and the problem of duplicate pESN appearing has strong statistical similarities.

    This is also why an MEID phone cannot be used on an ESN-only network by registering its pESN in lieu of a true ESN -- and it's no doubt Sprint, Alltel, etc. have their system set up to block registration of any ESN beginning with 0x80.

    The firmware inside an MEID phone:

    - Can handle the longer MEID
    - Can generate the phone's pESN "on the fly" from its MEID

    ESN phone firmware cannot do this. Little wonder to me that cross-flashing ESN firmware into an MEID phone and cross-flashing MEID firmware into an ESN phone bricks them. The length of an ESN is not the same as an MEID. Undoubtedly the firmware barfs when that's encountered as the phone attempts to boot.

    The problem of exhausting the ESN is both manufacturer and network. They both must begin using MEID.
    It appears that VZW has either hit the wall first, or has decided to get out in front of the problem. The other TDMA and CDMA networks must begin using MEID very soon or they won't be able to offer new handsets to anyone.

    Be patient. The MEID wasn't something VZW decided to do apart from the rest of the CDMA networks. All CDMA and TDMA network providers will convert to MEID, and it won't be much longer before they do -- or die. VZW is apparently the first one to begin the MEID conversion. MEID firmware will eventually show up for Sprint, Alltel, USCC, etc. (even VIVO must convert to MEID).
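
Added example (not part of the quoted article and not any carrier's or vendor's code): a Python sketch of the pESN derivation the post describes, 0x80 followed by the trailing six hex digits of the SHA-1 of the MEID, with the birthday-paradox arithmetic applied to the resulting 24-bit space. It assumes the hash is taken over the MEID as 7 raw bytes; the MEIDs are constructed values and the function names are illustrative.

```python
import hashlib
import math

PESN_SPACE = 2**24  # six hex digits of hash output after the fixed 0x80 prefix

def pseudo_esn(meid_hex: str) -> int:
    """Return 0x80 followed by the trailing 24 bits of SHA-1 over the MEID."""
    meid = bytes.fromhex(meid_hex)
    if len(meid) != 7:
        raise ValueError("MEID must be 14 hex digits")
    # Assumption: the hash input is the MEID as 7 raw bytes, not its hex text.
    digest = hashlib.sha1(meid).digest()
    return 0x80000000 | int.from_bytes(digest[-3:], "big")

def collision_probability(n: int, space: int = PESN_SPACE) -> float:
    """Exact birthday probability that n uniform values in `space` collide."""
    if n > space:
        return 1.0
    return -math.expm1(sum(math.log1p(-i / space) for i in range(n)))

def handsets_for_probability(p: float, space: int = PESN_SPACE) -> int:
    """Smallest number of handsets whose collision probability reaches p < 1."""
    log_unique, n = 0.0, 1
    while -math.expm1(log_unique) < p:
        log_unique += math.log1p(-n / space)  # handset n+1 must miss n values
        n += 1
    return n

def first_collision(start: int = 0xA0000000000000):
    """Walk constructed sequential MEIDs until two map to the same pESN."""
    seen = {}
    meid = start
    while True:
        meid_hex = f"{meid:014X}"
        pesn = pseudo_esn(meid_hex)
        if pesn in seen:
            return seen[pesn], meid_hex, pesn
        seen[pesn] = meid_hex
        meid += 1

if __name__ == "__main__":
    print(f"pESN of constructed MEID A0000000000001: {pseudo_esn('A0000000000001'):08X}")
    print("handsets for 50% collision risk:", handsets_for_probability(0.5))
    print("handsets for 99% collision risk:", handsets_for_probability(0.99))
    a, b, pesn = first_collision()
    print(f"constructed MEIDs {a} and {b} share pESN {pesn:08X}")
```

Calling `handsets_for_probability(0.5, 365)` reproduces the 23-person birthday figure quoted in the post, which is a quick check that the same arithmetic is being applied to the 24-bit pESN space.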